Sponsored by..

Friday 23 October 2015

Malware spam: "Credit Note CN-06536 from Trump Hotels & Casino Resorts Inc. for [redacted] (2752)"

This fake financial spam has a malicious attachment:

From:    Accounts [message-service@post.xero.com]
Date:    23 October 2015 at 15:08
Subject:    Credit Note CN-06536 from Trump Hotels & Casino Resorts Inc. for [redacted] (2752)

Hi Mattie,

Attached is your credit note CN-06536 for 8954.41 GBP.

This has been allocated against invoice number

If you have any questions, please let us know.

Thanks,
Avnet, Inc.
The message is neither from Avnet, Xero or Trump Hotels, but is a simple forgery. Attached is a file Credit Note CN-06536.doc ..  but  it's actually a ZIP file rather than a DOC file. Whoops. Renaming the .DOC to .ZIP creates a valid archive, and the executable inside is named Credit Note CN-83607.exe  and has a VirusTotal detection rate of 4/55. VT identifies this as Upatre which implies that the payload is the Dyre banking trojan.

Analysis is still pending for this malware (please check back later) but the current version of Update/Dyre phones home to 197.149.90.166 (Cobranet, Nigeria) which I strongly recommend you block.

UPDATE:
The Hybrid Analysis report is here, reporting the Nigerian IP and also showing that the malware saves itself as:
%TEMP%\homebast.exe
C:\Windows\mLunoMqU.exe




No comments: